Wednesday, September 19, 2012

Data Mining Event Tracing for Windows 3

This is a continuation of the previous 2 posts.

The netsh utility has an interface to enable/disable event tracing for all providers that participate in a given "Scenario". You can tell it you want to use "All" scenarios which enables logging for a large number of providers at the same time.

To start/stop the trace session:

C:\temp>netsh trace start scenario=all tracefile=FIREEVERYTHING2.etl capture=yes correlation=yes
Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         FIREEVERYTHING2.etl
Append:             Off
Circular:           On
Max Size:           250 MB
Report:             Off

C:\temp>netsh trace stop
Correlating traces ... done
Generating data collection ... done
The trace file and additional troubleshooting information have been compiled as "C:\temp\".
File location = C:\temp\FIREEVERYTHING2.etl
Tracing session was successfully stopped.

The netsh utility correlates "like events" and generates several log files and reports containing some interesting data.

As expected we have our "FIREEVERYTHING2.etl" file that we can query with wevtutil.exe. This file holds the information recorded by multiple providers and has all kinds of interesting data in it. But there is also a .CAB file that is worth checking out.

To check on human readable content:
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | more

Here is an example of searching for the "passwd" field in a POST with and without the /f:Text option. With /f:Text it finds zero occurrences, but without it (the default XML output) it finds two.
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True /f:Text | find /c /i "passwd"
0
C:\temp>wevtutil qe FIREEVERYTHING2.etl /lf:True | find /c /i "passwd"
2
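The count difference above is the reason to search the raw XML rather than the text rendering when you are auditing what a trace has captured. The following is an added example (not part of the original post) that does that audit offline in Python: it parses event XML in the per-event shape that wevtutil's default output uses, searches both the string payload fields and any hex-encoded Binary payload for a sensitive field name, and reports which provider and event ID recorded it. The XML sample is constructed, the provider names, GUIDs, event IDs and field names in it are made up, and the idea that a hit can hide from the text renderer inside a Binary element is an assumption used to illustrate the gap; the exact reason the real trace showed 0 versus 2 is not something this sample reproduces.

```python
import re
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample shaped like the per-event XML that
# `wevtutil qe <file>.etl /lf:True` writes: one <Event> per line, no enclosing root.
# Provider names, GUIDs, event IDs and field names are invented for this example.
# Event 102 carries its payload as hex in <Binary>; the bytes decode to
# "user=alice&passwd=s3cr3t!".
SAMPLE_XML = """\
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Example-HttpClient' Guid='{00000000-0000-0000-0000-000000000001}'/><EventID>101</EventID><TimeCreated SystemTime='2012-09-19T10:00:01.000Z'/></System><EventData><Data Name='Url'>http://intranet.example/login</Data><Data Name='Method'>POST</Data></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Example-HttpClient' Guid='{00000000-0000-0000-0000-000000000001}'/><EventID>102</EventID><TimeCreated SystemTime='2012-09-19T10:00:01.050Z'/></System><EventData><Binary>757365723d616c696365267061737377643d73336372337421</Binary></EventData></Event>
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><System><Provider Name='Example-Ndis' Guid='{00000000-0000-0000-0000-000000000002}'/><EventID>1001</EventID><TimeCreated SystemTime='2012-09-19T10:00:01.060Z'/></System><EventData><Data Name='Payload'>POST /login HTTP/1.1 user=alice&amp;passwd=s3cr3t!</Data></EventData></Event>
"""


def iter_events(xml_text):
    """Yield parsed <Event> elements. wevtutil emits a bare sequence of events,
    so wrap them in a synthetic root before handing them to the XML parser."""
    root = ET.fromstring("<root>" + xml_text + "</root>")
    return root.findall("e:Event", NS)


def event_header(ev):
    """Return (provider name, event id, creation time) from the <System> block."""
    sysel = ev.find("e:System", NS)
    provider = sysel.find("e:Provider", NS).get("Name")
    event_id = sysel.find("e:EventID", NS).text
    time = sysel.find("e:TimeCreated", NS).get("SystemTime")
    return provider, event_id, time


def rendered_fields(ev):
    """The string payload fields only: an approximation of what a text
    rendering of the event exposes (assumption, see lead-in)."""
    return [d.text or "" for d in ev.findall("e:EventData/e:Data", NS)]


def decoded_binary(ev):
    """Decode hex <Binary> payloads to text; skip elements that are not valid hex."""
    out = []
    for b in ev.findall("e:EventData/e:Binary", NS):
        try:
            out.append(bytes.fromhex((b.text or "").strip()).decode("latin-1"))
        except ValueError:
            continue
    return out


def find_sensitive(xml_text, pattern, include_binary=True):
    """Return one (provider, event_id, time, matching_text) tuple per event whose
    payload matches `pattern` (case-insensitive). include_binary=False limits
    the search to the string fields, mimicking a search over text output."""
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for ev in iter_events(xml_text):
        candidates = rendered_fields(ev)
        if include_binary:
            candidates += decoded_binary(ev)
        for text in candidates:
            if rx.search(text):
                hits.append(event_header(ev) + (text,))
                break  # one report per event is enough
    return hits


def providers_recording(hits):
    """Sorted list of the distinct providers that recorded a matching payload,
    i.e. the providers whose trace output needs handling as sensitive data."""
    return sorted({h[0] for h in hits})


if __name__ == "__main__":
    text_only = find_sensitive(SAMPLE_XML, "passwd", include_binary=False)
    full = find_sensitive(SAMPLE_XML, "passwd")
    print("string fields only:", len(text_only), "hit(s)")
    print("string + binary   :", len(full), "hit(s)")
    for provider, event_id, time, matched in full:
        print(f"  {time} {provider} EventID={event_id}: {matched}")
    print("providers to treat as sensitive:", providers_recording(full))
```

On a real capture, feed the script the output of `wevtutil qe FIREEVERYTHING2.etl /lf:True` instead of SAMPLE_XML; the provider list it produces tells you which ETW providers are writing credential-bearing data into the trace, which is what decides how the .etl and .cab files must be stored and who may read them.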

These logs are not just recording actions taken by built in programs like Internet Explorer. Any third party tools that rely on the ETW enabled APIs will also have their information recorded. So fire up the logging and go on a little treasure hunt!